The Invisible Army: Why IP Reputation Fails Against the Rotation Economy

GreyNoise research highlights a critical shift in attacker infrastructure, revealing that traditional IP reputation systems are increasingly ineffective against the "rotation economy." Analysis of 4 billion sessions over 90 days indicates that 39% of unique IPs targeting network edges originate from residential address space, making them indistinguishable from legitimate user traffic. Furthermore, 78% of these malicious IPs vanish after only one or two sessions, evading reputation flagging mechanisms entirely. This widespread use of residential proxies significantly undermines perimeter defenses reliant on source IP blocking. Organizations must adapt their detection strategies by shifting focus from traffic origin to traffic behavior. Implementing behavioral analysis and anomaly detection is crucial to identifying malicious activity regardless of the IP source. This trend suggests a broader operational security improvement among threat actors, necessitating updated defensive postures to maintain visibility into inbound threats targeting enterprise edges.

Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.

GreyNoise research highlights a critical shift in attacker infrastructure, revealing that traditional IP reputation systems are increasingly ineffective against the "rotation economy." Analysis of 4 billion sessions over 90 days indicates that 39% of unique IPs targeting network edges originate from residential address space, making them indistinguishable from legitimate user traffic. Furthermore, 78% of these malicious IPs vanish after only one or two sessions, evading reputation flagging mechanisms entirely. This widespread use of residential proxies significantly undermines perimeter defenses reliant on source IP blocking. Organizations must adapt their detection strategies by shifting focus from traffic origin to traffic behavior. Implementing behavioral analysis and anomaly detection is crucial to identifying malicious activity regardless of the IP source. This trend suggests a broader operational security improvement among threat actors, necessitating updated defensive postures to maintain visibility into inbound threats targeting enterprise edges. Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing. Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.